{"id":13466992,"url":"https://github.com/microsoft/onefuzz","last_synced_at":"2025-09-27T00:31:25.608Z","repository":{"id":37105800,"uuid":"283030627","full_name":"microsoft/onefuzz","owner":"microsoft","description":"A self-hosted Fuzzing-As-A-Service platform","archived":true,"fork":false,"pushed_at":"2023-11-01T09:22:49.000Z","size":22622,"stargazers_count":2828,"open_issues_count":233,"forks_count":198,"subscribers_count":90,"default_branch":"main","last_synced_at":"2025-09-24T00:37:26.945Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"docs/supported-platforms.md","governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-27T22:23:30.000Z","updated_at":"2025-09-19T13:16:43.000Z","dependencies_parsed_at":"2022-07-13T16:44:27.469Z","dependency_job_id":"c08547fe-4e85-4522-9ea4-e4848199f24e","html_url":"https://github.com/microsoft/onefuzz","commit_stats":{"total_commits":2167,"total_committers":41,"mean_commits":"52.853658536585364","dds":0.6995846792801108,"last_synced_commit":"82fffbe8adc047f055cb4fddcae17e9e1244423e"},"previous_names":[],"tags_count":111,"template":false,"template_full_name":null,"purl":"pkg:github/microsoft/onefuzz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fonefuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fonefuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fonefuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fonefuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/onefuzz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fonefuzz/sbom","scorecard":{"id":643432,"data":{"date":"2025-08-11","repo":{"name":"github.com/microsoft/onefuzz","commit":"82fffbe8adc047f055cb4fddcae17e9e1244423e"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.2,"checks":[{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/sync-issue-to azure-devops-work-item.yml:1","Warn: no topLevel permission defined: .github/workflows/validate-devcontainer.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: src/utils/check-pr/__pycache__/cleanup_ad.cpython-38.pyc:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: RustCargoFuzzer integration found: src/agent/coverage/fuzz/fuzz_targets/fuzz_target_allowlist_parse.rs:3","Info: RustCargoFuzzer integration found: src/agent/coverage/fuzz/fuzz_targets/fuzz_target_record_coverage.rs:3","Info: RustCargoFuzzer integration found: src/agent/libclusterfuzz/src/generated.rs:117","Info: RustCargoFuzzer integration found: src/integration-tests/libfuzzer-rust/fuzz/fuzz_targets/fuzz_target_1.rs:2"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 8.9.0 not signed: https://api.github.com/repos/microsoft/onefuzz/releases/124317348","Warn: release artifact 8.8.0 not signed: https://api.github.com/repos/microsoft/onefuzz/releases/120145276","Warn: release artifact 8.7.1 not signed: https://api.github.com/repos/microsoft/onefuzz/releases/119121837","Warn: release artifact 8.7.0 not signed: https://api.github.com/repos/microsoft/onefuzz/releases/117810183","Warn: release artifact 8.6.3 not signed: https://api.github.com/repos/microsoft/onefuzz/releases/115039324","Warn: release artifact 8.9.0 does not have provenance: https://api.github.com/repos/microsoft/onefuzz/releases/124317348","Warn: release artifact 8.8.0 does not have provenance: https://api.github.com/repos/microsoft/onefuzz/releases/120145276","Warn: release artifact 8.7.1 does not have provenance: https://api.github.com/repos/microsoft/onefuzz/releases/119121837","Warn: release artifact 8.7.0 does not have provenance: https://api.github.com/repos/microsoft/onefuzz/releases/117810183","Warn: release artifact 8.6.3 does not have provenance: https://api.github.com/repos/microsoft/onefuzz/releases/115039324"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Info: Possibly incomplete results: error parsing shell code: \u0026 can only immediately follow a statement: src/runtime-tools/win64/Dockerfile:14","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:255: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:257: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:317: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:324: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:332: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:339: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:340: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:347: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:365: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:367: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:373: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:382: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:416: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:417: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:426: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:671: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:672: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:676: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:536: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:539: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:601: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:223: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:225: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:355: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:356: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:399: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:400: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:409: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:445: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:446: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:450: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:454: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:458: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:462: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:466: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:470: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:474: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:478: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:482: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:529: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:609: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:612: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:660: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-issue-to azure-devops-work-item.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/sync-issue-to azure-devops-work-item.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-devcontainer.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/validate-devcontainer.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate-devcontainer.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/validate-devcontainer.yml/main?enable=pin","Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:5","Warn: containerImage not pinned by hash: src/Dockerfile:6","Warn: containerImage not pinned by hash: src/Dockerfile:35: pin your Docker image by updating mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04 to mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19","Warn: containerImage not pinned by hash: src/runtime-tools/linux/Dockerfile:4: pin your Docker image by updating mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04 to mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19","Warn: containerImage not pinned by hash: src/runtime-tools/win64/Dockerfile:6","Warn: downloadThenRun not pinned by hash: .devcontainer/Dockerfile:20","Warn: pipCommand not pinned by hash: src/Dockerfile:16-24","Warn: npmCommand not pinned by hash: .devcontainer/install-dependencies.sh:12","Warn: pipCommand not pinned by hash: .devcontainer/install-dependencies.sh:15","Warn: nugetCommand not pinned by hash: .devcontainer/post-create-script.sh:13: pin your dependecies by either enabling central package management (https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management) or using a lockfile (https://learn.microsoft.com/nuget/consume-packages/package-references-in-project-files#locking-dependencies)","Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:24","Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:30","Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:35","Warn: pipCommand not pinned by hash: src/ci/check-check-pr.sh:6","Warn: pipCommand not pinned by hash: src/ci/check-check-pr.sh:7","Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:11","Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:14","Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:27","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:490","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:491","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:153","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:154","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:157","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:158","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:176","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:266","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:199","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:200","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:217","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:218","Info:   0 out of  68 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of  10 third-party GitHubAction dependencies pinned","Info:   0 out of   5 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   2 out of  23 pipCommand dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned","Info:   2 out of   3 nugetCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":0,"reason":"61 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6","Warn: Project is vulnerable to: PYSEC-2024-230 / GHSA-248v-346w-9cwc","Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h","Warn: Project is vulnerable to: PYSEC-2023-228 / GHSA-mq26-g339-26xf","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: GHSA-cx63-2mw6-8hw5","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: PYSEC-2023-120 / GHSA-45c4-8wx5-qw6w","Warn: Project is vulnerable to: GHSA-5m98-qgg9-wh84","Warn: Project is vulnerable to: GHSA-7gpw-8wmc-pm8g","Warn: Project is vulnerable to: GHSA-8495-4g3g-x7pr","Warn: Project is vulnerable to: PYSEC-2024-26 / GHSA-8qpw-xqxj-h4r2","Warn: Project is vulnerable to: GHSA-9548-qrrj-x5pj","Warn: Project is vulnerable to: PYSEC-2023-246 / GHSA-gfw2-4jvh-wgfg","Warn: Project is vulnerable to: GHSA-pjjw-qhg8-p2p9","Warn: Project is vulnerable to: PYSEC-2023-250 / GHSA-q3qx-c6g2-7pw2","Warn: Project is vulnerable to: PYSEC-2023-251 / GHSA-qvrw-v9rv-5rjx","Warn: Project is vulnerable to: PYSEC-2021-76 / GHSA-v6wp-4m6f-gcjg","Warn: Project is vulnerable to: PYSEC-2023-247 / GHSA-xx9p-xxvh-7g8j","Warn: Project is vulnerable to: GHSA-m5vv-6r4h-3vj9","Warn: Project is vulnerable to: GHSA-wvxc-855f-jvrv","Warn: Project is vulnerable to: GHSA-x674-v45j-fwxw","Warn: Project is vulnerable to: GHSA-59j7-ghrg-fj52","Warn: Project is vulnerable to: GHSA-98g6-xh36-x2p7","Warn: Project is vulnerable to: GHSA-447r-wph3-92pm","Warn: Project is vulnerable to: GHSA-8g4q-xg66-9fp4","Warn: Project is vulnerable to: GHSA-2rxc-gjrp-vjhx","Warn: Project is vulnerable to: RUSTSEC-2024-0404","Warn: Project is vulnerable to: RUSTSEC-2025-0012","Warn: Project is vulnerable to: RUSTSEC-2024-0388","Warn: Project is vulnerable to: RUSTSEC-2024-0003 / GHSA-8r5v-vm4m-4g25","Warn: Project is vulnerable to: RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv","Warn: Project is vulnerable to: RUSTSEC-2024-0421 / GHSA-h97m-ww89-6jmq","Warn: Project is vulnerable to: RUSTSEC-2024-0384","Warn: Project is vulnerable to: RUSTSEC-2024-0019 / GHSA-r8w9-5wcg-vfj7","Warn: Project is vulnerable to: RUSTSEC-2020-0016","Warn: Project is vulnerable to: RUSTSEC-2023-0072 / GHSA-xphf-cx8h-7q9g","Warn: Project is vulnerable to: GHSA-q445-7m23-qrmw","Warn: Project is vulnerable to: RUSTSEC-2024-0357","Warn: Project is vulnerable to: RUSTSEC-2025-0004 / GHSA-rpmj-rpgj-qmpm","Warn: Project is vulnerable to: GHSA-4fcv-w3qc-ppgg","Warn: Project is vulnerable to: RUSTSEC-2025-0022","Warn: Project is vulnerable to: RUSTSEC-2024-0436","Warn: Project is vulnerable to: GHSA-c827-hfw6-qwvm","Warn: Project is vulnerable to: RUSTSEC-2024-0006 / GHSA-r7qv-8r2h-pg27","Warn: Project is vulnerable to: GHSA-rr8g-9fpq-6wmg","Warn: Project is vulnerable to: RUSTSEC-2025-0023","Warn: Project is vulnerable to: RUSTSEC-2023-0075 / GHSA-r24f-hg58-vfrw","Warn: Project is vulnerable to: RUSTSEC-2024-0320","Warn: Project is vulnerable to: PYSEC-2020-175 / GHSA-7fcj-pq9j-wh2r","Warn: Project is vulnerable to: PYSEC-2023-292 / GHSA-9w2p-rh8c-v9g5","Warn: Project is vulnerable to: PYSEC-2013-22 / GHSA-27x4-j476-jp5f","Warn: Project is vulnerable to: PYSEC-2022-43012 / GHSA-r9hx-vwmv-q579","Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6","Warn: Project is vulnerable to: PYSEC-2021-47 / GHSA-5jqp-qgf6-3pvh","Warn: Project is vulnerable to: GHSA-mr82-8j83-vxmv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-21T11:25:38.336Z","repository_id":37105800,"created_at":"2025-08-21T11:25:38.336Z","updated_at":"2025-08-21T11:25:38.336Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276683834,"owners_count":25685629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-24T02:00:09.776Z","response_time":97,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T15:00:52.072Z","updated_at":"2025-09-27T00:31:22.494Z","avatar_url":"https://github.com/microsoft.png","language":"C#","readme":"# \u003cimg src=\"docs/onefuzz_text.svg\" height=\"120\" alt=\"OneFuzz\" /\u003e\n\n# :exclamation: IMPORTANT NOTICE :exclamation:\n\n**_August 31, 2023_**.\n\n**_Since September 2020 when OneFuzz was first open sourced, we’ve been on a journey to create a best-in-class orchestrator for running fuzzers, driving security and quality into our products._**\n \n \n**_Initially launched by a small group in MSR, OneFuzz has now become a significant internal platform within Microsoft. As such, we are regretfully archiving the project to focus our attention on becoming a more deeply integrated service within the company. Unfortunately, we aren’t a large enough team to live in both the open-source world and the internal Microsoft world with its own unique set of requirements._**\n \n**_Our current plan is to archive the project in the next few months. That means we’ll still be making updates for a little while. Of course, even after it’s archived, you’ll still be able to fork it and make the changes you need. Once we’ve decided on a specific date for archiving, we’ll update this readme._**\n \n**_Thanks for taking the journey with us._**\n\n**_The OneFuzz team._**\n\n---\n**_Update: September 15 2023:_**\n**_Our current target to archive the project is September 30th, 2023._**\n\n---\n\n[![Onefuzz build status](https://github.com/microsoft/onefuzz/workflows/Build/badge.svg?branch=main)](https://github.com/microsoft/onefuzz/actions/workflows/ci.yml?query=branch%3Amain)\n\n## A self-hosted Fuzzing-As-A-Service platform\n\nProject OneFuzz enables continuous developer-driven fuzzing to proactively\nharden software prior to release.  With a [single \ncommand](docs/getting-started.md#launching-a-job), which can be [baked into\nCICD](contrib/onefuzz-job-github-actions/README.md), developers can launch\nfuzz jobs from a few virtual machines to thousands of cores.\n\n## Features\n\n* **Composable fuzzing workflows**: Open source allows users to onboard their own \n   fuzzers, [swap instrumentation](docs/custom-analysis.md), and manage seed inputs. \n* **Built-in ensemble fuzzing**: By default, fuzzers work as a team to share strengths, \n   swapping inputs of interest between fuzzing technologies.\n* **Programmatic triage and result de-duplication**: It provides unique flaw cases that \n   always reproduce.\n* **On-demand live-debugging of found crashes**: It lets you summon a live debugging\n   session on-demand or from your build system.\n* **Observable and Debug-able**: Transparent design allows introspection into every \n   stage.\n* **Fuzz on Windows and Linux**: Multi-platform by design. Fuzz using your own [OS \n   build](docs/custom-images.md), kernel, or nested hypervisor.\n* **Crash reporting notification callbacks**: Including [Azure DevOps Work\n   Items](docs/notifications/ado.md) and [Microsoft Teams\n   messages](docs/notifications/teams.md)\n\nFor information, check out some of our guides:\n* [Terminology](docs/terminology.md)\n* [Getting Started](docs/getting-started.md)\n* [Supported Platforms](docs/supported-platforms.md)\n* [More documentation](docs)\n\nAre you a Microsoft employee interested in fuzzing?  Join us on Teams at [Fuzzing @ Microsoft](https://aka.ms/fuzzingatmicrosoft).\n\n## Contributing\n\nThis project welcomes contributions and suggestions. Most contributions require\nyou to agree to a Contributor License Agreement (CLA) declaring that you have\nthe right to, and actually do, grant us the rights to use your contribution.\nFor details, visit [https://cla.microsoft.com](https://cla.microsoft.com).\n\nWhen you submit a pull request, a CLA-bot will automatically determine whether\nyou need to provide a CLA and decorate the PR appropriately (e.g., label,\ncomment). Simply follow the instructions provided by the bot. You will only\nneed to do this once across all repositories using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)\nor contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any\nadditional questions or comments.\n\n## Data Collection\n\nThe software may collect information about you and your use of the software and\nsend it to Microsoft. Microsoft may use this information to provide services\nand improve our products and services. You may [turn off the telemetry as\ndescribed in the\nrepository](docs/telemetry.md#how-to-disable-sending-telemetry-to-microsoft).\nThere are also some features in the software that may enable you and Microsoft\nto collect data from users of your applications. If you use these features, you\nmust comply with applicable law, including providing appropriate notices to\nusers of your applications together with a copy of Microsoft's privacy\nstatement. Our privacy statement is located at\nhttps://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data\ncollection and use in the help documentation and our privacy statement. Your\nuse of the software operates as your consent to these practices.\n\nFor more information:\n* [Onefuzz Telemetry Details](docs/telemetry.md)\n\n## Reporting Security Issues\n\nSecurity issues and bugs should be reported privately to the Microsoft Security\nResponse Center (MSRC).  For more information, please see\n[SECURITY.md](SECURITY.md).\n","funding_links":[],"categories":["C#","C# #","DevSecOps","Vulnerability Assessment","Rust","Projects Using Pydantic","Python (1887)","Application Security","Project","Secure Programming"],"sub_categories":["Fuzzing","Machine Learning","API Fuzzing","Program Analysis"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fonefuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2Fonefuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fonefuzz/lists"}